Yang Mu,Wang Hao,Zheng Yangming,Jin Zhonghe

DOI: https://doi.org/10.1016/j.cja.2013.02.019

2013-01-01

Abstract:This paper proposes a generic high-performance and low-time-overhead software control flow checking solution, graph-tree-based control flow checking (GTCFC) for space-borne commercial-off-the-shelf (COTS) processors. A graph tree data structure with a topology similar to common trees is introduced to transform the control flow graphs of target programs. This together with design of IDs and signatures of its vertices and edges allows for an easy check of legality of actual branching during target program execution. As a result, the algorithm not only is capable of detecting all single and multiple branching errors with low latency and time overheads along with a linear-complexity space overhead, but also remains generic among arbitrary instruction sets and independent of any specific hardware. Tests of the algorithm using a COTS-processor-based on-board computer (OBC) of in-service ZDPS-1A pico-satellite products show that GTCFC can detect over 90% of the randomly injected and all-pattern-covering branching errors for different types of target programs, with performance and overheads consistent with the theoretical analysis; and beats well-established preeminent control flow checking algorithms in these dimensions. Furthermore, it is validated that GTCGC not only can be accommodated in pico-satellites conveniently with still sufficient system margins left, but also has the ability to minimize the risk of control flow errors being undetected in their space missions. Therefore, due to its effectiveness, efficiency, and compatibility, the GTCFC solution is ready for applications on COTS processors on pico-satellites in their real space missions.

Wensheng Tang,Dejun Dong,Shijie Li,Chengpeng Wang,Peisen Yao,Jinguo Zhou,Charles Zhang

DOI: https://doi.org/10.1145/3632743

IF: 3.685

2024-01-24

ACM Transactions on Software Engineering and Methodology

Abstract:Value-flow analysis is a fundamental technique in program analysis, benefiting various clients, such as memory corruption detection and taint analysis. However, existing efforts suffer from the low potential speedup that leads to a deficiency in scalability. In this work, we present a parallel algorithm Octopus to collect path conditions for realizable paths efficiently. Octopus builds on the realizability decomposition to collect the intraprocedural path conditions of different functions simultaneously on-demand and obtain realizable path conditions by concatenation, which achieves a high potential speedup in parallelization. We implement Octopus as a tool and evaluate it over 15 real-world programs. The experiment shows that Octopus significantly outperforms the state-of-the-art algorithms. Particularly, it detects NPD bugs for the project llvm with 6.3 MLoC within 6.9 minutes under the 40-thread setting. We also state and prove several theorems to demonstrate the soundness, completeness, and high potential speedup of Octopus . Our empirical and theoretical results demonstrate the great potential of Octopus in supporting various program analysis clients. The implementation has officially deployed at Ant Group, scaling the nightly code scan for massive FinTech applications.

computer science, software engineering

Jiangfang Yi,Dong Tong,Xu Cheng

DOI: https://doi.org/10.3321/j.issn:1003-9775.2006.08.001

2006-01-01

Abstract:To cope with problems such as the number of path is huge and path coverage can hardly increase rapidly.In this paper,we use control flow graph to describe the structure of hardware design language design and use techniques of data flow analysis to reduce the number of path.A genetic algorithm is used to generate stimuli and calculate the path coverage based on critical signals.Finally,we perform experiments on the functional modules of Unity-863 SoC.Experimental results show efficiency of this metric to detect design errors.

Ming Zhang,Zonghua Gu,Hong Li,Nenggan Zheng

DOI: https://doi.org/10.1109/access.2018.2852805

IF: 3.9

2018-01-01

IEEE Access

Abstract:Safety-critical embedded systems in application domains, such as aerospace, automotive, and industrial automation, must satisfy dual requirements of fault-tolerance and real-time predictability. Control flow checking is an effective technique for improving embedded systems’ reliability by online monitoring and checking of software control flow to detect runtime deviations from the control flow graph. However, inserting instrumentation code in every basic block incurs significant execution time overhead, which may cause the program to violate its timing constraints. In this paper, we propose to selectively instrument a subset of code regions that are larger than basic blocks, called super-nodes, in order to make the program partially resilient to control flow errors while keeping the program worst-case execution time (WCET) below a given upper bound. WCET analysis is invoked to estimate the program WCET and to identify the corresponding worst-case execution path (WCEP). An ILP formulation is used to judiciously select a subset of super-nodes on the WCEP for instrumentation, so that the best fault detection coverage is achieved without violating the given WCET upper bound. The optimization is repeated for each identified WCEP until the program WCET satisfies the WCET upper bound. Experimental results demonstrate significant improvements of fault detection coverage compared with related work.

Zhengyao Liu,Xitong Zhong,Xingjing Deng,Shuo Hong,Xiang Gao,Hailong Sun

2024-06-12

Abstract:Detecting defects and vulnerabilities in the early stage has long been a challenge in software engineering. Static analysis, a technique that inspects code without execution, has emerged as a key strategy to address this challenge. Among recent advancements, the use of graph-based representations, particularly Code Property Graph (CPG), has gained traction due to its comprehensive depiction of code structure and semantics. Despite the progress, existing graph-based analysis tools still face performance and scalability issues. The main bottleneck lies in the size and complexity of CPG, which makes analyzing large codebases inefficient and memory-consuming. Also, query rules used by the current tools can be over-specific. Hence, we introduce QVoG, a graph-based static analysis platform for detecting defects and vulnerabilities. It employs a compressed CPG representation to maintain a reasonable graph size, thereby enhancing the overall query efficiency. Based on the CPG, it also offers a declarative query language to simplify the queries. Furthermore, it takes a step forward to integrate machine learning to enhance the generality of vulnerability detection. For projects consisting of 1,000,000+ lines of code, QVoG can complete analysis in approximately 15 minutes, as opposed to 19 minutes with CodeQL.

Software Engineering

Jie Ying,Tiantian Zhu,Wenrui Cheng,Qixuan Yuan,Mingjun Ma,Chunlin Xiong,Tieming Chen,Mingqi Lv,Yan Chen

2024-05-04

Abstract:As the complexity and destructiveness of Advanced Persistent Threat (APT) increase, there is a growing tendency to identify a series of actions undertaken to achieve the attacker's target, called attack investigation. Currently, analysts construct the provenance graph to perform causality analysis on Point-Of-Interest (POI) event for capturing critical events (related to the attack). However, due to the vast size of the provenance graph and the rarity of critical events, existing attack investigation methods suffer from problems of high false positives, high overhead, and high latency. To this end, we propose SPARSE, an efficient and real-time system for constructing critical component graphs (i.e., consisting of critical events) from streaming logs. Our key observation is 1) Critical events exist in a suspicious semantic graph (SSG) composed of interaction flows between suspicious entities, and 2) Information flows that accomplish attacker's goal exist in the form of paths. Therefore, SPARSE uses a two-stage framework to implement attack investigation (i.e., constructing the SSG and performing path-level contextual analysis). First, SPARSE operates in a state-based mode where events are consumed as streams, allowing easy access to the SSG related to the POI event through semantic transfer rule and storage strategy. Then, SPARSE identifies all suspicious flow paths (SFPs) related to the POI event from the SSG, quantifies the influence of each path to filter irrelevant events. Our evaluation on a real large-scale attack dataset shows that SPARSE can generate a critical component graph (~ 113 edges) in 1.6 seconds, which is 2014 X smaller than the backtracking graph (~ 227,589 edges). SPARSE is 25 X more effective than other state-of-the-art techniques in filtering irrelevant edges.

Cryptography and Security

Jianxin Cheng,Yizhou Chen,Yongzhi Cao,Hanpin Wang

DOI: https://doi.org/10.1016/j.infsof.2024.107517

IF: 3.9

2024-01-01

Information and Software Technology

Abstract:Vulnerability detection is critical to ensure software security, and detecting vulnerabilities in smart contract code is currently gaining massive attention. Existing deep learning-based vulnerability detection methods represent the code as a code structure graph and eliminate vulnerability-irrelevant nodes. Then, they learn vulnerability-related code features from the simplified graph for vulnerability detection. However, this simplified graph struggles to represent relatively complete structural information of code, which may affect the performance of existing vulnerability detection methods. In this paper, we present a novel Vulnerability Detection framework based on Critical Execution Paths (VDCEP), which aims to improve smart contract vulnerability detection. Firstly, given a code structure graph, we deconstruct it into multiple execution paths that reflect rich structural information of code. To reduce irrelevant code information, a path selection strategy is employed to identify critical execution paths that may contain vulnerable code information. Secondly, a feature extraction module is adopted to learn feature representations of critical paths. Finally, we feed all path feature representations into a classifier for vulnerability detection. Also, the feature weights of paths are provided to measure their importance in vulnerability detection. We evaluate VDCEP on a large dataset with four types of smart contract vulnerabilities. Results show that VDCEP outperforms 14 representative vulnerability detection methods by 5.34%–60.88% in F1-score. The ablation studies analyze the effects of our path selection strategy and feature extraction module on VDCEP. Moreover, VDCEP still outperforms ChatGPT by 34.46% in F1-score. Compared to existing vulnerability detection methods, VDCEP is more effective in detecting smart contract vulnerabilities by utilizing critical execution paths. Besides, we can provide interpretable details about vulnerability detection by analyzing the path feature weights.

Rulin Xu,Xiaoguang Mao,Luohui Chen

DOI: https://doi.org/10.1109/apsec60848.2023.00035

2023-01-01

Abstract:Taint analysis of value flows, as a static analysis technique, has gained widespread application in the fields of software security and vulnerability mining. However, when dealing with complex programs, it still faces challenges in terms of precision and performance. This research proposes P-DATA, a parallel framework implementing dependency-aware taint analysis. P-DATA employs modeling to capture data and control dependencies, reducing false positives over tools like Clang Static Analyzer and SVF. To accelerate the analysis, P-DATA leverages a task-level parallel framework introducing Preemption of Computational Resources (PCR) and Asynchronous Taint Source Registration, lead to impressive scalability and efficiency. Evaluations demonstrate P-DATA's ability to significantly expedite taint analysis for large programs using multi-core resources, achieving over 25X speedup on 32 cores. P-DATA makes notable contributions by boosting precision, efficiency and scalability of security-critical program analysis through advanced dependency modeling and paral-lelization techniques. It provides an extensible high-performance framework benefiting static analysis advancement.

Haibo Yu,Qiang Sun,Kejun Xiao,Yuting Chen,Tsunenori Mine,Jianjun Zhao

DOI: https://doi.org/10.1109/QRS-C51114.2020.00026

2020-01-01

Abstract:Ahstract-Points-to analysis is a fundamental, but computationally intensive technique for static program analysis, optimization, debugging and verification. Context-Free Language (CFL) reachability has been proposed and widely used in demand-driven points-to analyses that aims for computing specific points-to relations on demand rather than all variables in the program. However, CFL-reachability-based points-to analysis still faces challenges when applied in practice especially for flow-sensitive points-to analysis, which aims at improving the precision of points-to analysis by taking account of the execution order of program statements. We propose a scalable approach named Parseeker to parallelize flow-sensitive demand-driven points-to analysis via CFL-reachability in order to improve the performance of points-to analysis with high precision. Our core insights are to (1) produce and process a set of fine-grained, parallelizable queries of points-to relations for the objective program, and (2) take a CFL-reachability-based points-to analysis to answer each query. The MapReduce is used to parallelize the queries and three optimization strategies are designed for further enhancing the efficiency.

Chi Li,Yuexing Wang,Min Zhou,Ming Gu

DOI: https://doi.org/10.1109/apsec53868.2021.00054

2021-01-01

Abstract:Precise static analysis is necessary for an industrial environment to ensure reliability and security, which is usually field-sensitive and inter-procedural. However, it faces the problem of insufficient scale capability when being applied to various industrial environments: (1) Field-sensitive analysis can not assure termination if field accesses are modeled by unbounded access paths; (2) Inter-procedural analysis may lead to path explosion problems because of the unbounded length of call chains. While using longer access paths or call chains can improve precision, the analysis may have poor performance in terms of efficiency. Specifically, an industry-strength method should be scalable enough to face different applications. This paper presents a scalable fault detection method based on the precise access path. Precise access path models a memory location with accurate operations and offsets from a source. Points-to relations of variables are used to refine it. It can differentiate elements of aggregate structures and is more precise than the ordinary access path. Based on the precise access path, we perform an inter-procedural analysis with the help of an intra-procedural analysis and combined function summary. Furthermore, our method is designed backward to detect error handling bugs. Compared with the state-of-the-art tools, our method is more scalable, with higher precision and efficiency on both benchmarks and 11 widely-used applications.

Pingpeng Yuan,Changfeng Xie,Ling Liu,Hai Jin

DOI: https://doi.org/10.1109/tpds.2016.2518664

IF: 5.3

2016-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Large scale iterative graph computation presents an interesting systems challenge due to two well known problems: (1) the lack of access locality and (2) the lack of storage efficiency. This paper presents PathGraph, a system for improving iterative graph computation on graphs with billions of edges. First, we improve the memory and disk access locality for iterative computation algorithms on large graphs by modeling a large graph using a collection of tree-based partitions. This enables us to use path-centric computation rather than vertex-centric or edge-centric computation. For each tree partition, we re-label vertices using DFS in order to preserve consistency between the order of vertex ids and vertex order in the paths. Second, a compact storage that is optimized for iterative graph parallel computation is developed in the PathGraph system. Concretely, we employ delta-compression and store tree-based partitions in a DFS order. By clustering highly correlated paths together as tree based partitions, we maximize sequential access and minimize random access on storage media. Third but not the least, our path-centric computation model is implemented using a scatter/gather programming model. We parallel the iterative computation at partition tree level and perform sequential local updates for vertices in each tree partition to improve the convergence speed. To provide well balanced workloads among parallel threads at tree partition level, we introduce the concept of multiple stealing points based task queue to allow work stealings from multiple points in the task queue. We evaluate the effectiveness of PathGraph by comparing with recent representative graph processing systems such as GraphChi and X-Stream etc. Our experimental results show that our approach outperforms the two systems on a number of graph algorithms for both in-memory and out-of-core graphs. While our approach achieves better data balance and load balance, it also shows better speedup than the two systems with the growth of threads.

Rulin Xu,Xiaoguang Mao,Wei Xiao

DOI: https://doi.org/10.1109/CSECS60003.2023.10428132

2023-01-01

Abstract:C language programs are often subject to memory vulnerabilities, posing substantial security risks to software systems. Conventional detection techniques, rooted in static value-flow analysis, necessitate exhaustive searches across the entirety of value-flow graphs. This approach results in inefficient analyses of large-scale codes and presents difficulties in parallelization due to interdependent steps. In this study, we propose an innovative approach based on parallel graph summarization. This technique effectively transforms the computational bottleneck into a task that can be expedited in a parallel manner, leveraging multicore computation to significantly enhance the performance and scalability of vulnerability detection within <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$C$</tex> programs. We segment the value-flow graph of the program into multiple subgraphs, extracting summaries of three pivotal types of information from each subgraph: path summaries, guard summaries, and behaviour summaries. These summaries significantly stream-line subsequent vulnerability detection analyses. Moreover, we implement a task-level parallel technique to accelerate the graph summary process in a multicore environment. Notably, empirical results reveal that our method, while ensuring accuracy, achieves 2.7X-6.1X speedup compared to serial algorithms. When assessed against prevalent open-source detection tools, our approach demonstrates superior trade-offs between accuracy and efficiency. In conclusion, this research presents an efficient and effective strategy for vulnerability detection in larze-scale <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$C$</tex> programs.

Xinyang Wang,Yaqiu Jiang,Wenhong Tian

2015-01-01

Abstract:Testing is the one of most significant quality assurance measures for software. It has been shown that the software testing is one of the most critical and important phases in the life cycle of software engineering. In general, software testing takes around 40-60% of the effort, time and cost. Structure-oriented test methods define test cases on the basis of the internal program structures and are widely used. Path-based test is one of the important Structure-oriented test methods during software development. However, there is still lack of automatic and highly efficient tool for generating basic paths in white-box testing. In view of this, an automatic and efficient method for generating basic paths is proposed in this paper. This method firstly transforms the source-code program into corresponding control flow graph (CFG). By modifying the original CFG to a strongly connected graph, a new algorithm (ABPC) is designed to automatically construct all basic paths. The ABPC algorithm has computational complexity linear to the number of total edges and nodes in the CFG. Through performance evaluation of many examples, it is shown that the proposed method is correct and scalable to very large test cases. The proposed method can be applied to basis path testing easily.

Zizheng Guo,Mingwei Yang,Tsung-Wei Huang,Yibo Lin

DOI: https://doi.org/10.1109/tcad.2021.3124758

2021-01-01

Abstract:Common path pessimism removal (CPPR) is imperative for eliminating redundant pessimism during static timing analysis (STA). However, turning on CPPR can significantly increase the analysis runtime by $10-100\times$ in large designs. Recent years have seen much research on improving the algorithmic efficiencies of CPPR, but most are architecturally constrained by either the speed-accuracy trade-off or design-specific pruning heuristics. In this paper, we introduce a novel CPPR algorithm that is provably good and practically efficient. We have evaluated our algorithm on large industrial designs and demonstrated promising performance over the current state-of-the-art. As an example, our algorithm outperforms the baseline by $36-135\times$ faster when generating the top-10K post-CPPR critical paths on a million-gate design. At the extreme, our algorithm with one core is even $4-16\times$ faster than the baseline with 8 cores.

Darius Foo,Jason Yeo,Hao Xiao,Asankhaya Sharma

DOI: https://doi.org/10.48550/arXiv.1909.00973

2019-09-03

Software Engineering

Abstract:Developers today use significant amounts of open source code, surfacing the need for ways to automatically audit and upgrade library dependencies, and giving rise to the subfield of Software Composition Analysis (SCA). SCA products are concerned with three tasks: discovering dependencies, checking the reachability of vulnerable code for false positive elimination, and automated remediation. The latter two tasks rely on call graphs of application and library code to check whether vulnerability-specific sinks identified in libraries are used by applications. However, statically-constructed call graphs introduce both false positives and false negatives on real-world projects. In this paper, we develop a novel, modular means of combining call graphs derived from both static and dynamic analysis to improve the performance of false positive elimination. Our experiments indicate significant performance improvements.

Kejun XIAO,Haibo YU,Yuting CHEN,Hao ZHONG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2016.11.012

2017-01-01

Abstract:Many demand-driven points-to analysis techniques are proposed to suit some environments bounded by strict limits of time and memory usage.Improving the demand-driven points-to analysis in a flow sensitive manner helps achieve precise points-to relations for some variables.Due to the existence of strong flow and data dependencies in the large-scale software systems,it is difficult in identifying effectively all the program statements contributing to the points-to relations of the objective variables.This paper proposes a flow-sensitive program representation approach and defines a notion of Context Free Language(CFL)reachability which helps explore all the flow-sensitive points-to relations for the objective variables.It also develops a Seeker tool,which can compute the points-to sets of the variables of interest. Experimental results show that the demand-driven points-to analysis algorithm improves the efficiency of the Flow Sensitive Context Insensitive(FSCI)points-to analysis.

Yuexing Wang,Min Zhou,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/apsec48747.2019.00044

2019-01-01

Abstract:Precise pointer analysis is desired since many program analyses benefit from it both in precision and performance. There are several dimensions of pointer analysis precision, flow sensitivity, context sensitivity, field sensitivity and path sensitivity. The more dimensions a pointer analysis considers, the more accurate its results will be. However, considering all dimensions is difficult because the trade-off between precision and efficiency should be balanced. This paper presents a flow, context, field and quasi path sensitive pointer analysis algorithm for C programs. Our algorithm runs on a control flow automaton, a key structure for our analysis to be flow sensitive. During the analysis process, we use function summaries to get context information. Elements of aggregate structures are handled to improve precision. We collect path conditions to filter unreachable paths and make all points-to relations gated. For efficiency, we propose a multi-entry mechanism. The algorithm is implemented in TsmartGP, which is an extension of CPAchecker. Our algorithm is compared with some state-of-the-art algorithms and TsmartGP is compared with cppcheck and Clang Static Analyzer by detecting uninitialized pointer errors in 13 real-world applications. The experimental results show that our algorithm is more accurate and TsmartGP can find more errors than other tools.

Yulu Cao,Lin Chen,Zhifei Chen,Jiacheng Zhong,Xiaowei Zhang,Linzhang Wang

DOI: https://doi.org/10.1142/s0218194024500104

IF: 1.007

2024-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:Call graphs facilitate various tasks in software engineering. However, for the dynamic language Python, the complex language features and external library dependencies pose enormous challenges for building the call graphs of real projects. Some program analysis techniques used for call graph construction in other languages are impractical for Python. In this paper, we present STAR, a practical technique for the construction of Python static call graphs. We reformulate call graph construction as an entity identification task. STAR leverages inter-module summary and cross-project dependencies to construct a fine-grained entity knowledge base to identify the possible nodes and edges of the call graph in the code, and then construct the call graph. Our evaluation of three benchmarks shows that (1) STAR improves recall in three benchmarks compared to three baseline tools. Especially, STAR improves the recall of reachable nodes and reachable edges compared with the state-of-the-art tool by 11.3% and 9.8%, respectively; (2) STAR achieves comparable performance as three baseline tools in execution time and memory usage and is more efficient in large projects; (3) STAR can be effectively used for the task of detecting vulnerability propagation with real-world cases. We expect our results will attract more exploration of practical methods and improve the application of Python call graphs.

Yuexing Wang,Min Zhou,Yu Jiang,Xiaoyu Song,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/ase.2017.8115706

2017-01-01

Abstract:To reduce the false positives of static analysis, many tools collect path constraints and integrate SMT solvers to filter unreachable execution paths. However, the accumulated calling and computing of SMT solvers are time and resource consuming. This paper presents TsmartLW, an alternate static analysis tool in which we implement a path constraint solving engine to speed up reachability determination. Within the engine, typical types of constraint-patterns are firstly defined based on an empirical study of a large number of code repositories. For each pattern, a constraint solving algorithm is designed and implemented. For each program, the engine predicts the most suitable strategy and then applies the strategy to solve path constraints. The experimental results on some well-known benchmarks and real-world applications show that TsmartLW is faster than some state-of-the-art static analysis tools. For example, it is 1.32× faster than CPAchecker and our engine is 369× faster than SMT solvers in solving path constraints. The demo video is available at https://www.youtube.com/watch?v=5c3ARhFclHA&t=2s.

Jiaping Gui,Ding Li,Zhengzhang Chen,Junghwan Rhee,Xusheng Xiao,Mu Zhang,Kangkook Jee,Zhichun Li,Haifeng Chen

DOI: https://doi.org/10.1109/ICDE48307.2020.00151

2020-01-01

Abstract:While backtracking analysis has been successful in assisting the investigation of complex security attacks, it faces a critical dependency explosion problem. To address this problem, security analysts currently need to tune backtracking analysis manually with different case-specific heuristics. However, existing systems fail to fulfill two important system requirements to achieve effective backtracking analysis. First, there need flexible abstractions to express various types of heuristics. Second, the system needs to be responsive in providing updates so that the progress of backtracking analysis can be frequently inspected, which typically involves multiple rounds of manual tuning. In this paper, we propose a novel system, APTrace, to meet both of the above requirements. As we demonstrate in the evaluation, security analysts can effectively express heuristics to reduce more than 99.5% of irrelevant events in the backtracking analysis of real-world attack cases. To improve the responsiveness of backtracking analysis, we present a novel execution-window partitioning algorithm that significantly reduces the waiting time between two consecutive updates (especially, 57 times reduction for the top 1% waiting time).